Date:      Mon, 11 Jul 2022 13:42:37 GMT
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 7b6aed9ac322 - main - security/stunnel: Drop privs by default, update PID file location
Message-ID:  <202207111342.26BDgb8j097823@gitrepo.freebsd.org>

The branch main has been updated by zi:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b6aed9ac322d8a3820d8f0615eb623bb815f7ee

commit 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee
Author:     Ryan Steinmetz <zi@FreeBSD.org>
AuthorDate: 2022-07-11 13:41:15 +0000
Commit:     Ryan Steinmetz <zi@FreeBSD.org>
CommitDate: 2022-07-11 13:41:15 +0000

    security/stunnel: Drop privs by default, update PID file location
    
    - Document changes in UPDATING
    
    PR:             249151
    Reported by:     Tatsuki Makino <tatsuki_makino@hotmail.com>
---
 UPDATING                              | 13 +++++++++++++
 security/stunnel/Makefile             |  9 +++++++--
 security/stunnel/files/daemon.conf.in |  3 +++
 security/stunnel/files/pid.conf       |  1 -
 security/stunnel/files/stunnel.in     | 18 ++++++++++++++++--
 security/stunnel/pkg-plist            |  2 +-
 6 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/UPDATING b/UPDATING
index 9e1dc3faf14d..6d76e6add9b7 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,19 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20220711:
+  AFFECTS: users of security/stunnel
+  AUTHOR: zi@FreeBSD.org
+
+  The stunnel port has been updated to drop privileges to the stunnel
+  user by default.
+
+  As a result of this change, the pid file location has changed.  If
+  you have a running copy of stunnel, you should stop the process
+  before performing the upgrade.  Alternatively, you will need to
+  # pkill stunnel;service stunnel start
+  after the upgrade has been completed.
+
 20220628:
   AFFECTS: users of Erlang and Elixir
   AUTHOR: dch@FreeBSD.org
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 6db2dad118db..ea08a6fc6780 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -16,7 +16,7 @@ LICENSE=	GPLv2 GPLv3
 LICENSE_COMB=	dual
 
 BROKEN_SSL=	libressl libressl-devel
-BROKEN_SSL_REASON=	Missing upstream support
+BROKEN_SSL_REASON=	missing upstream support
 
 USES=		cpe libtool perl5 shebangfix ssl
 USE_PERL5=	build
@@ -27,6 +27,10 @@ GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var/tmp --enable-static --disable-systemd \
 		--with-ssl="${OPENSSLBASE}"
 SHEBANG_FILES=	src/stunnel3.in
+SUB_FILES=	daemon.conf
+SUB_LIST=	STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \
+		STUNNEL_USER=${STUNNEL_USER} \
+		STUNNEL_GROUP=${STUNNEL_GROUP}
 
 OPTIONS_DEFINE=			DOCS EXAMPLES FIPS IPV6 LIBWRAP
 OPTIONS_SINGLE=			THREAD
@@ -42,6 +46,7 @@ FORK_DESC=			Use the fork(3) threading model
 PTHREAD_DESC=			Use the pthread(3) threading model
 UCONTEXT_DESC=			Use the ucontext(3) threading model
 
+STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid
 STUNNEL_USER?=	stunnel
 STUNNEL_GROUP?=	stunnel
 
@@ -101,7 +106,7 @@ post-build:
 
 post-install:
 	${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/
-	${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf
+	${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf
 
 cert:
 	@${ECHO} ""
diff --git a/security/stunnel/files/daemon.conf.in b/security/stunnel/files/daemon.conf.in
new file mode 100644
index 000000000000..af40302a0927
--- /dev/null
+++ b/security/stunnel/files/daemon.conf.in
@@ -0,0 +1,3 @@
+pid = %%STUNNEL_PIDFILE%%
+setuid = %%STUNNEL_USER%%
+setgid = %%STUNNEL_GROUP%%
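Review bot: This file is installed straight into `conf.d/` (not as a `@sample`), so any local edit to the `setuid`/`setgid` lines is silently replaced on the next upgrade, and the file itself gives no hint that it is port-managed. A header comment would make that clear: `# Installed by the security/stunnel port; local changes are overwritten on upgrade. Override the user/group via rc.conf or your own conf.d file instead.`. It is also worth a line for operators that, once privileges are dropped, a SIGHUP reload presumably re-reads certificate and key files as the `setuid` user, so those files must be readable by it or the reload fails where the initial start as root succeeded — confirm against stunnel's reload behaviour before stating it as fact.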
diff --git a/security/stunnel/files/pid.conf b/security/stunnel/files/pid.conf
deleted file mode 100644
index f2b23cc181bb..000000000000
--- a/security/stunnel/files/pid.conf
+++ /dev/null
@@ -1 +0,0 @@
-pid = /var/run/stunnel.pid
diff --git a/security/stunnel/files/stunnel.in b/security/stunnel/files/stunnel.in
index a36dd7eb01ed..0d90942e1827 100644
--- a/security/stunnel/files/stunnel.in
+++ b/security/stunnel/files/stunnel.in
@@ -13,9 +13,11 @@
 #				Set it to the full path to the config file
 #				that stunnel will use during the automated
 #				start-up.
-# stunnel_pidfile (str):	Default "%%PREFIX%%/var/stunnel/stunnel.pid"
+# stunnel_pidfile (str):	Default "%%STUNNEL_PIDFILE%%"
 #				Set it to the value of 'pid' in
 #				the stunnel.conf file.
+# stunnel_uid (str):		Default "%%STUNNEL_USER%%"
+# stunnel_gid (str):		Default "%%STUNNEL_GROUP%%"
 #
 
 . /etc/rc.subr
@@ -27,7 +29,9 @@ load_rc_config $name
 
 : ${stunnel_enable="NO"}
 : ${stunnel_config="%%ETCDIR%%/${name}.conf"}
-: ${stunnel_pidfile="/var/run/${name}.pid"}
+: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"}
+: ${stunnel_uid="%%STUNNEL_USER%%"}
+: ${stunnel_gid="%%STUNNEL_GROUP%%"}
 
 command="%%PREFIX%%/bin/stunnel"
 command_args=${stunnel_config}
@@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile}
 
 required_files="${stunnel_config}"
 
+start_precmd=stunnel_start_precmd
+
+stunnel_start_precmd () {
+	local piddir
+	piddir=`/usr/bin/dirname "${pidfile}"`
+	if [ ! -d "${piddir}" ] ; then
+		/usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}"
+	fi
+}
+
 run_rc_command "$1"
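Review bot: `stunnel_uid` and `stunnel_gid` are presented as rc.conf knobs, but the only thing the new `stunnel_start_precmd` does with them is set the owner of the pid directory; the actual privilege drop is fixed at build time in `00-daemon.conf`'s `setuid`/`setgid`, so an operator who changes these in rc.conf ends up with a directory the running stunnel user cannot write rather than a different runtime user. The function should say so, e.g. `# Only controls who owns the pid directory; the account stunnel drops to is set by setuid/setgid in conf.d/00-daemon.conf and must match.`. Note also that the directory is created only when absent, so a pre-existing `/var/run/stunnel` with the wrong owner (for instance after changing the user) is left as is; a `chown` on the existing path, or at least a comment naming that limitation, would avoid a confusing start-up failure. Giving the service user ownership of a directory that root later reads the pid from is a deliberate trade-off (stunnel needs it to remove the file on exit); rc.subr's pidfile check compares the process name, which limits what a compromised stunnel could do with a forged pid, but that reasoning deserves a comment too.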
diff --git a/security/stunnel/pkg-plist b/security/stunnel/pkg-plist
index f886b2582c5a..2e74830fd335 100644
--- a/security/stunnel/pkg-plist
+++ b/security/stunnel/pkg-plist
@@ -1,7 +1,7 @@
 bin/stunnel
 bin/stunnel3
 %%ETCDIR%%/stunnel.conf-sample
-%%ETCDIR%%/conf.d/00-pid.conf
+%%ETCDIR%%/conf.d/00-daemon.conf
 lib/stunnel/libstunnel.a
 lib/stunnel/libstunnel.so
 man/man8/stunnel.8.gz


